From 5347eb4bd8d165d0ed7b6e8fe92b98c4acb91789 Mon Sep 17 00:00:00 2001
From: "Tukue G.Gebregergis"
Date: Wed, 8 Apr 2026 16:06:21 +0200
Subject: [PATCH 1/2] Scope Trivy scan to app manifests and fix pod security context

---
 .github/workflows/platform-iac-ci.yml | 19 +++++++++++++++++++
 README.md | 2 +-
 applications/gitops/base/sample-service.yaml | 4 ++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/platform-iac-ci.yml b/.github/workflows/platform-iac-ci.yml
index a63041a..ba296fd 100644
--- a/.github/workflows/platform-iac-ci.yml
+++ b/.github/workflows/platform-iac-ci.yml
@@ -15,6 +15,7 @@ on:
 permissions:
 contents: read
+ security-events: write
 jobs:
 quality-gates:
@@ -45,4 +46,22 @@ jobs:
 with:
 directory: .
 framework: cloudformation,terraform,github_actions
+ soft_fail: false
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
 quiet: true
+
+ - name: Upload Checkov SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: results.sarif
+
+ - name: Static security scan (Trivy IaC misconfigurations)
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ scan-type: config
+ scan-ref: applications/gitops/base
+ hide-progress: true
+ severity: CRITICAL,HIGH
+ exit-code: '1'
diff --git a/README.md b/README.md
index 81594ee..224c209 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ It is also curated as a **Platform Engineering consulting profile project** that
 - Secure-by-default guardrails and policy checks
 - Repository structure for multi-team and multi-environment operation
 - Backstage software template example for self-service service creation
-- CI pipeline for platform IaC quality gates (fmt/validate/lint/security)
+- CI pipeline for platform IaC quality gates (build/test/synth + Checkov + Trivy security scans)
 - GitOps-oriented app delivery guardrails
 - OPA/Conftest policy bundle for Kubernetes deployment security checks
 - Day-2 DX helpers via `Makefile` 
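Review bot: Trivy findings from the new scan step go only to the console, while Checkov's are uploaded to code scanning as SARIF, so a HIGH/CRITICAL misconfiguration that fails the job leaves no record in the Security tab; giving the Trivy step `format: sarif` and `output: trivy-results.sarif` and adding a second `upload-sarif` step with `if: always()` closes that gap. Two SARIF uploads for the same commit and ref need distinct `category:` values (`checkov`, `trivy`), otherwise the later upload replaces the earlier one. Both third-party actions are pinned to mutable tags (`upload-sarif@v4`, `trivy-action@v0.35.0`); pinning each to a full commit SHA with the tag kept in a trailing comment is the usual supply-chain hardening for CI actions. The `quality-gates` job starts before this hunk.
```yaml
      - name: Upload Checkov SARIF report
        # … unchanged: if / uses …
        with:
          sarif_file: results.sarif
          category: checkov

      - name: Static security scan (Trivy IaC misconfigurations)
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          # … unchanged: scan-type, scan-ref, hide-progress, severity, exit-code …
          format: sarif
          output: trivy-results.sarif

      - name: Upload Trivy SARIF report
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-results.sarif
          category: trivy
```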
diff --git a/applications/gitops/base/sample-service.yaml b/applications/gitops/base/sample-service.yaml
index dc45598..67c1a82 100644
--- a/applications/gitops/base/sample-service.yaml
+++ b/applications/gitops/base/sample-service.yaml
@@ -22,6 +22,10 @@ spec:
 labels:
 app.kubernetes.io/name: sample-service
 spec:
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: app
 image: nginx:1.27.0
From 8efee5a8f0a2de9fed08ecdc9ffec47409a89e33 Mon Sep 17 00:00:00 2001
From: "Tukue G.Gebregergis"
Date: Wed, 8 Apr 2026 16:13:14 +0200
Subject: [PATCH 2/2] Address CI SARIF resilience and nginx non-root runtime

---
 .github/workflows/platform-iac-ci.yml | 1 +
 applications/gitops/base/sample-service.yaml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/platform-iac-ci.yml b/.github/workflows/platform-iac-ci.yml
index ba296fd..73d206a 100644
--- a/.github/workflows/platform-iac-ci.yml
+++ b/.github/workflows/platform-iac-ci.yml
@@ -53,6 +53,7 @@ jobs:
 - name: Upload Checkov SARIF report
 if: always()
+ continue-on-error: true
 uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: results.sarif
diff --git a/applications/gitops/base/sample-service.yaml b/applications/gitops/base/sample-service.yaml
index 67c1a82..07ad346 100644
--- a/applications/gitops/base/sample-service.yaml
+++ b/applications/gitops/base/sample-service.yaml
@@ -24,6 +24,8 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 101
 seccompProfile:
 type: RuntimeDefault
 containers:
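Review bot: The new pod-level `securityContext` still leaves the container without `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]`, which the Pod Security `restricted` profile requires; Trivy's checks for those omissions appear to be rated below HIGH, so the new `severity: CRITICAL,HIGH` gate in this series will not catch their absence. A container-level `securityContext` under `- name: app` fills the gap, and `readOnlyRootFilesystem: true` belongs there too once the paths nginx writes to are backed by `emptyDir` mounts. The Deployment spec continues past the hunk, so any existing container-level settings there would need to be merged with these.
```yaml
      containers:
        - name: app
          image: nginx:1.27.0
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: remainder of the container spec …
```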
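Review bot: `continue-on-error: true` on the SARIF upload turns every upload failure into a green step with only a warning annotation — not just a missing `results.sarif` after a Checkov crash, but also a lost `security-events: write` permission or a malformed report — so the code-scanning feed can go stale without anyone noticing. If the failure being worked around is Checkov exiting before it writes the file, the narrower guard keeps the step fatal and runs it only when the report exists: `if: always() && hashFiles('results.sarif') != ''`. The step belongs to the `quality-gates` job, which starts before the hunk.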
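Review bot: `runAsUser: 101` satisfies the kubelet's `runAsNonRoot` check, but the container still runs the stock `nginx:1.27.0` image, whose default configuration binds port 80 and writes `/var/cache/nginx` and `/var/run/nginx.pid` as root; as uid 101 the master process will most likely fail at startup, so the hardening only holds if the pod actually comes up. The usual fix is the `nginxinc/nginx-unprivileged` image at the same version, which listens on 8080 and already runs as uid 101, with the `containerPort` (outside this hunk) updated to match. A comment on the new line recording the choice would help the next reader, e.g. `runAsUser: 101  # nginx user in the official image`.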